From 36e5202181452c385b52e183e50166dec6c456d9 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 6 Feb 2014 15:36:12 +0100
Subject: move leap_webapp.conf template to common.conf which is included by
 the nagios and webapp node (#5096)

---
 .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb

(limited to 'puppet/modules/site_apache/templates/vhosts.d/common.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
new file mode 100644
index 00000000..30f0a6b1
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -0,0 +1,72 @@
+<VirtualHost *:80>
+  ServerName <%= domain %>
+  ServerAlias www.<%= domain %>
+  RewriteEngine On
+  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= domain_name %>
+  ServerAlias <%= domain %>
+  ServerAlias www.<%= domain %>
+
+  SSLEngine on
+  SSLProtocol -all +SSLv3 +TLSv1
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLHonorCipherOrder on
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
+
+  RequestHeader set X_FORWARDED_PROTO 'https'
+
+  <IfModule mod_headers.c>
+<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+<% end -%>
+    Header always unset X-Powered-By
+    Header always unset X-Runtime
+  </IfModule>
+
+<% if (defined? @services) and (@services.include? 'webapp') -%>
+  DocumentRoot /srv/leap/webapp/public
+
+  RewriteEngine On
+  # Check for maintenance file and redirect all requests
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+  AllowEncodedSlashes on
+  PassengerAllowEncodedSlashes on
+  PassengerFriendlyErrorPages off
+  SetEnv TMPDIR /var/tmp
+
+  # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
+  <Location /assets/>
+    Header unset ETag
+    FileETag None
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+  </Location>
+<% end -%>
+
+
+<% if (defined? @services) and (@services.include? 'monitor') -%>
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <% if (defined? @services) and (@services.include? 'webapp') -%>
+    PassengerEnabled off
+ <% end -%>
+    AllowOverride all
+    # Nagios won't work with setting this option to "DENY",
+    # as set in conf.d/security (#4169). Therefor we allow
+    # it here, only for nagios.
+    Header set X-Frame-Options: "ALLOW"
+  </DirectoryMatch>
+<% end -%>
+</VirtualHost>
+
-- 
cgit v1.2.3